Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted

Releases 8.x(y)

June 2012

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0833

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Copyright 2012 Cisco Systems, Inc. All rights reserved.

Table of Contents

Preface
  Purpose
  Audience
  Organization
  Related Documentation
  Product Naming Conventions
  Conventions
  Obtaining Documentation and Submitting a Service Request
  Documentation Feedback

1. Encryption Support
  User and Agent Passwords
  Call Variables and Extended Call Variables
  Internet Script Editor, Agent Re-skilling and WebView
  CTI OS C++/COM Toolkit
  Cisco Contact Center SNMP Management Service
  Cisco Support Tools
  Additional Encryption

2. IPSec and NAT Support
  About IPSec
  About NAT
  Support for IPSec (IP Security) in Tunnel Mode
  Support for IPSec (IP Security) in Transport Mode
  System Requirements
  Supported Communication Paths
  Configuring IPSec Policy
  IPSec Connection to Unified CM
  Monitoring IPSec Activity
  IPSec Monitor
  IPSec Logging
  Network Monitoring
  System Monitoring
  Securing Support Tools Using IPSEC
  Support Tools IPSEC Configuration Example
  Support for NAT (Network Address Translation)
  NAT and CTI OS
  IPSec and NAT Transparency
  Additional IPSec References

3. Applying IPSec with the Network Isolation Utility
  About IPSec
  Deploying IPSec Manually Versus Deploying It Via the Network Isolation Utility
  About the Cisco Network Isolation Utility
  An Illustration of Network Isolation Utility Deployment
  How the Network Isolation Utility Works
  IPSec Terminology
  The Network Isolation Utility Process
  About Encrypting Traffic
  How to Deploy the Network Isolation Feature
  Important Deployment Tips
  Sample Deployment
  Devices That Must Communicate with One Another
  Typical Boundary Devices
  Caveats
  How to Do a Batch Deployment
  How to Run the Network Isolation Utility from the Command Line
  How to Monitor the Network Security
  Troubleshooting the Network Isolation IPSec Policy

4. Windows Server 2003 Firewall Configuration
  Cisco Firewall Configuration Utility Prerequisites
  Using the Cisco Firewall Configuration Utility
  Verifying New Windows Firewall Settings
  Configuring Windows Server 2008 R2 Firewall to Communicate with Active Directory
  Configuring Domain Controller Ports
  Restrict FRS Traffic to a Specific Static Port
  Restrict Active Directory Replication Traffic to a Specific Port
  Configure Remote Procedure Call (RPC) Port Allocation
  Windows Server 2000 and 2008 R2 Firewall Ports
  Testing Connectivity
  Validating Connectivity
  Understanding the CiscoICMfwConfig_exc.xml File
  Troubleshooting Windows Firewall
  General Troubleshooting Notes
  Windows Firewall Interferes with Router Private Interface Communication
  Windows Firewall Shows Dropped Packets but no Unified ICM or Unified CCE Failures are Evident
  Undo Firewall Settings

5. Automated Security Hardening Settings on Windows Server 2003
  Applying/Removing ICM Security Settings
  Applying ICM Security Settings During Setup
  Manually Installing Cisco ICM Security Settings
  Rolling Back Security Settings
  Account Policies Settings
  Password Policy
  Account Lockout Policy
  Kerberos Policy
  Local Policies
  Audit Policy
  User Rights Assignment
  Security Options
  Event Log
  System Services
  Settings for System Services
  Registry
  File System

6. Applying Security with the Cisco Unified Contact Center Security Wizard
  About the Cisco Unified Contact Center Security Wizard
  Configuration and Restrictions
  How to use the Wizard
  Example Security Wizard Usage
  Example Windows Hardening Configuration Panels
  Example Windows Firewall Configuration Panels
  Example Network Isolation Configuration Panels
  Example SQL Hardening Panels

7. Updating Microsoft Windows
  Microsoft Security Updates
  Microsoft Service Pack Policy
  Configuring the Server to use an Alternate Windows Update Server

8. SQL Server Hardening
  SQL Server Hardening Suggestions
  Top Hardening Suggestions
  SQL Server Users and Authentication
  SQL Server 2005 Security Considerations
  Automated SQL 2005 Hardening
  SQL Server Security Hardening Utility
  Manual SQL 2005 Server Hardening

9. Cisco SSL Encryption Utility
  About the SSL Encryption Utility
  Installing SSL During Setup
  SSL Encryption Utility in Standalone Mode
  Enabling the Transport Layer Security (TLS) 1.0 Protocol

10. Intrusion Prevention and Cisco Security Agent
  What are Cisco Security Agent Policies?
  Types of Agents
  Managed Agent
  Standalone Agent

11. Microsoft Baseline Security Analyzer (MBSA)
  Security Update Scan Results
  Windows Scan Results
  Internet Information Services (IIS) Scan Results
  SQL Server Scan Results
  Desktop Application Scan Results

12. Auditing
  How to View Auditing Policies
  Security Log
  Real-Time Alerts
  SQL Server Auditing Policies
  SQL Server C2 Security Auditing
  Active Directory Auditing Policies

13. General Anti-Virus Guidelines and Recommendations
  Guidelines and Recommendations
  Unified ICM/ Unified CCE Maintenance Parameters
  Logger Recommendations
  Distributor Recommendations
  CallRouter and PG Recommendations
  Other Scheduled Tasks Recommendations
  File Type Exclusion Recommendations
